
Re: [cobalt-security] ps -aux sendmail and netstat



Carrie wrote:
> I'm hoping someone can decipher this for me.
> When I run a netstat I get:
> tcp        0     53 www.mydomain:smtp 210.111.141.124:1709 FIN_WAIT1
> This was "ESTABLISHED" until I stopped sendmail for a few minutes and
> then restarted it.

It just means the IP stack has gone into WAIT mode, waiting on its own
internal timer before it kills the open connection. If it's ESTABLISHED
then it means that the open sockets at both ends have exchanged an ACK
with the right sequence number in the period since the last timer started
running.

Stopping sendmail will not necessarily close established connections -
it'll merely stop the daemon from listening. All you're seeing here is a
mail transaction that recently ended.

> root     27837  0.0  1.1  2636 1448 ?        S    14:15   0:00
> sendmail: q4/f4NA8a102794 mail.elvisisthebomb.com.: user open
>
> That last line WORRIES me. Have I been haqd?

Nope.

The sendmail 'listener' (the 'accepting connections' process) works as
follows:

Listen on port 25
Accept connection from remote mailer
Spawn child process to handle remote connection
Hand control of remote connection to child process and go back to
listening

The child process then reports a sequence of states which you'd have to be
really, really quick to see :)

'user open' just means that the two ends are in the process of negotiating
the connection to handle the inbound message. If it stays like that for a
long time, then the two ends are having communication problems. I have
noticed that exact message on one of our mailservers, and if I look in the
logs I see:

May 24 11:51:07 redirect sendmail[11052]:
	AAA16729: to=<******@elvisisthebomb.com>, delay=1+11:11:39,
	xdelay=00:00:00, mailer=esmtp, relay=mail3.elvisisthebomb.com.,
	stat=Deferred: Connection timed out with mail3.elvisisthebomb.com.

So it looks like elvisisthebomb.com's mailservers are broken, or something
else is stopping inbound connections to port 25 on their MX machines.

> How can I tell what port this guy is running on, or how can I kill his
> connection? I can't find him with "top" because I can't get it to give
> me remote info.

You don't need to as it's a legitimate connection :)

Graeme
-- 
Graeme Fowler
Systems Administrator
Host Europe Group plc
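To make the two things Carrie was trying to decipher easier to check, here is an added example (not part of the thread, and not sendmail's own code) that parses a netstat line and a sendmail `to=` log entry, classifies the TCP state, and converts sendmail's `delay=` field into seconds. The sample lines are constructed after the ones quoted above; host names and the queue id are placeholders.

```python
import re

# Constructed sample lines modelled on the ones quoted in the thread.
NETSTAT_LINE = "tcp        0     53 www.mydomain:smtp 210.111.141.124:1709 FIN_WAIT1"
SENDMAIL_LOG = ("May 24 11:51:07 redirect sendmail[11052]: AAA16729: "
                "to=<user@example.com>, delay=1+11:11:39, xdelay=00:00:00, "
                "mailer=esmtp, relay=mail3.example.com., "
                "stat=Deferred: Connection timed out with mail3.example.com.")

# TCP states that mean the connection is being torn down, not actively used.
CLOSING_STATES = {"FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK",
                  "TIME_WAIT", "CLOSE_WAIT"}


def parse_netstat(line):
    """Split one netstat TCP line into its fields and classify the state."""
    proto, recvq, sendq, local, remote, state = line.split()
    lhost, lport = local.rsplit(":", 1)
    rhost, rport = remote.rsplit(":", 1)
    return {
        "proto": proto, "recv_q": int(recvq), "send_q": int(sendq),
        "local": (lhost, lport), "remote": (rhost, rport), "state": state,
        "live": state == "ESTABLISHED",      # both ends still exchanging data
        "closing": state in CLOSING_STATES,  # stack is waiting on its timers
    }


def delay_to_seconds(delay):
    """sendmail writes delays as [D+]HH:MM:SS; 1+11:11:39 is 1 day 11h 11m 39s."""
    days, _, hms = delay.rpartition("+")
    h, m, s = (int(x) for x in hms.split(":"))
    return int(days or 0) * 86400 + h * 3600 + m * 60 + s


def parse_sendmail_log(line):
    """Extract pid, queue id and the key=value fields from a sendmail 'to=' entry."""
    m = re.search(r"sendmail\[(\d+)\]: (\w+): (.*)$", line)
    pid, qid, rest = m.groups()
    # Values may contain ': ' (e.g. stat=Deferred: ...), so split only on
    # ', ' that is followed by another key=.
    fields = dict(re.findall(r"(\w+)=(.*?)(?:, (?=\w+=)|$)", rest))
    return {
        "pid": int(pid), "queue_id": qid, "fields": fields,
        "delay_s": delay_to_seconds(fields["delay"]),
        "deferred": fields["stat"].startswith("Deferred"),
    }
```

A `FIN_WAIT1` row with a non-zero Send-Q, as in Carrie's output, is the local end still flushing its last bytes while it waits for the peer to acknowledge the close; a `Deferred` entry whose `delay_s` keeps growing is the remote MX not accepting connections on port 25.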